Crash in Item_func::fix_fields on second execution of a prepared statement with semijoin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MariaDB | Fix Released | Undecided | Sergey Petrunia |
Bug Description
The following query:
SELECT *
FROM t2
LEFT JOIN t1 ON t2.a != 0
AND ( 'j' , 'r' ) IN (
);
crashes as follows when executed twice as a prepared statement with semijoin:
#4 <signal handler called>
#5 0x081d838c in Item_ref:
#6 0x081f3adb in Item_func:
#7 0x08215327 in Item_cond:
#8 0x08249bee in Item_in_
where_
#9 0x08249e13 in Item_in_
at item_subselect.
#10 0x083e3ea6 in JOIN::choose_
#11 0x0832364a in make_join_
at sql_select.cc:3544
#12 0x0831b23c in JOIN::optimize (this=0xae635280) at sql_select.cc:1112
#13 0x081b63c2 in st_select_
#14 0x083e3bcf in JOIN::optimize_
#15 0x0831ce0e in JOIN::optimize (this=0xae62cdf0) at sql_select.cc:1621
#16 0x08321015 in mysql_select (thd=0x9c3c6b8, rref_pointer_
fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_
result=
#17 0x08318e6b in handle_select (thd=0x9c3c6b8, lex=0xae628de0, result=0xae62ac88, setup_tables_
at sql_select.cc:283
#18 0x082b3cb9 in execute_
#19 0x082aaaca in mysql_execute_
#20 0x08363658 in Prepared_
at sql_prepare.cc:3735
#21 0x08362b73 in Prepared_
packet=0x0, packet_end=0x0) at sql_prepare.cc:3416
#22 0x08361442 in mysql_sql_
#23 0x082aaaf3 in mysql_execute_
#24 0x082b62e8 in mysql_parse (thd=0x9c3c6b8, rawbuf=0xae612a10 "EXECUTE st1", length=11, found_semicolon
at sql_parse.cc:6102
#25 0x082a8710 in dispatch_command (command=COM_QUERY, thd=0x9c3c6b8, packet=0x9c95549 "EXECUTE st1", packet_length=11)
at sql_parse.cc:1221
#26 0x082a7b6b in do_command (thd=0x9c3c6b8) at sql_parse.cc:916
#27 0x082a4af5 in handle_
#28 0x00821919 in start_thread () from /lib/libpthread
#29 0x0076acce in clone () from /lib/libc.so.6
minimal optimizer switch: semijoin=on;
full optimizer switch: index_merge=
explain:
id select_type table type possible_keys key key_len ref rows Extra
1 PRIMARY t2 system NULL NULL NULL NULL 0 const row not found
1 PRIMARY t1 system NULL NULL NULL NULL 0 const row not found
2 DEPENDENT SUBQUERY NULL NULL NULL NULL NULL NULL NULL Impossible WHERE noticed after reading const tables
revision-id: <email address hidden>
date: 2011-09-10 18:01:27 +0300
build-date: 2011-09-14 09:12:12 +0300
revno: 3183
branch-nick: maria-5.3
test case:
SET SESSION optimizer_switch = 'semijoin=on';
CREATE TABLE t1 (a int);
CREATE TABLE t2 (a int);
CREATE TABLE t3 (a int, b int) ;
PREPARE st1 FROM "
SELECT *
FROM t2
LEFT JOIN t1 ON t2.a != 0
AND ( 'j' , 'r' ) IN (
);
";
EXECUTE st1;
EXECUTE st1;
Changed in maria:
milestone: none → 5.3
assignee: nobody → Sergey Petrunia (sergefp)
Changed in maria:
status: New → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released
The crash happens here:
#0 Item_in_subselect::create_row_in_to_exists_cond (...
#1 0x08268a05 in Item_in_subselect::create_in_to_exists_cond (...
#2 0x0842218d in JOIN::choose_subquery_plan (...
#3 0x0836fec0 in make_join_statistics (...
#4 0x08371701 in JOIN::optimize (...
#5 0x081b9b11 in st_select_lex::optimize_unflattened_subqueries (...
#6 0x08423139 in JOIN::optimize_unflattened_subqueries (...
#7 0x08373355 in JOIN::optimize (...
We execute this code:
new Item_func_eq(new
                 Item_direct_ref(&select_lex->context,
                                 (*optimizer->get_cache())->addr(i),
                                 (char *)"<no matter>",
                                 (char *)in_left_expr_name),
                 new
                 Item_direct_ref(&select_lex->context,
                                 select_lex->ref_pointer_array+i,
                                 (char *)"<no matter>",
                                 (char *)"<list ref>"));
and during the first execution
(gdb) p *((*optimizer->get_cache())->addr(i))
$89 = (Item_cache_str *) 0xb48c0b8
while during the second:
(gdb) p *((*optimizer->get_cache())->addr(i))
$93 = (Cannot access memory at address 0x0
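As an added illustration, and not code from MariaDB or from anyone on this report, the following C++ model reproduces the lifecycle the gdb output above shows: a transformation that dereferences an optimizer cache which exists during the first EXECUTE but is gone on the second. Every name in it (ModelCache, ModelInOptimizer, execute_once, first_failing_execution, the rebuild_cache flag) is a hypothetical stand-in for the Item_cache_str / Item_in_optimizer / create_in_to_exists_cond internals in the backtrace. The page does not say why the cache address is 0x0 on re-execution, so the model assumes it is released by end-of-execution cleanup and only rebuilt when the per-execution setup step runs again; the real server has no null check at that point and crashes where the model throws.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for Item_cache_str: one cached value per column of the
// IN predicate's left-hand row, here ('j', 'r') so two columns.
struct ModelCache {
    std::vector<std::string> values;
    explicit ModelCache(std::size_t n) : values(n) {}
    // Stand-in for Item_cache::addr(i): address of the i-th cached slot.
    std::string* addr(std::size_t i) { return &values.at(i); }
};

// Hypothetical stand-in for Item_in_optimizer, which owns the left-hand cache.
struct ModelInOptimizer {
    ModelCache* cache = nullptr;                 // created when the left side is fixed
    ModelCache** get_cache() { return &cache; }  // same shape as optimizer->get_cache()
    void fix_left(std::size_t cols) { if (!cache) cache = new ModelCache(cols); }
    // Assumption of this model: end-of-execution cleanup frees the cache.
    void cleanup() { delete cache; cache = nullptr; }
};

// Stand-in for the in-to-exists transformation that builds
// Item_direct_ref(..., (*optimizer->get_cache())->addr(i), ...) per column.
// Returns how many column references it built; throws where the server would
// dereference a null cache pointer.
std::size_t create_in_to_exists_cond(ModelInOptimizer& optimizer, std::size_t cols) {
    ModelCache* cache = *optimizer.get_cache();
    if (cache == nullptr)
        throw std::runtime_error("cache is NULL: transformation reused stale state");
    std::size_t refs = 0;
    for (std::size_t i = 0; i < cols; ++i) {
        if (cache->addr(i) != nullptr)          // the Item_direct_ref target
            ++refs;
    }
    return refs;
}

// One EXECUTE of the prepared statement: optimise (run the transformation),
// then clean up. rebuild_cache == false models the buggy ordering, where the
// cache is built once at PREPARE time and never again.
std::size_t execute_once(ModelInOptimizer& optimizer, std::size_t cols, bool rebuild_cache) {
    if (rebuild_cache)
        optimizer.fix_left(cols);
    std::size_t refs = create_in_to_exists_cond(optimizer, cols);
    optimizer.cleanup();
    return refs;
}

// Runs EXECUTE `executions` times after one PREPARE and returns the 1-based
// index of the first execution that hit a null cache, or 0 if none did.
std::size_t first_failing_execution(std::size_t executions, std::size_t cols, bool rebuild_cache) {
    ModelInOptimizer optimizer;
    optimizer.fix_left(cols);                    // PREPARE: cache exists for the first EXECUTE
    for (std::size_t n = 1; n <= executions; ++n) {
        try {
            execute_once(optimizer, cols, rebuild_cache);
        } catch (const std::runtime_error&) {
            return n;
        }
    }
    return 0;
}

int main() {
    // Mirrors the report: the second EXECUTE is the one that fails.
    std::printf("buggy ordering fails on execution %zu\n",
                first_failing_execution(2, 2, false));
    std::printf("per-execution rebuild fails on execution %zu\n",
                first_failing_execution(2, 2, true));
    return 0;
}
```

The point of the model is the ordering, not the null check: prepared-statement re-execution has to re-run every setup step whose results are torn down by cleanup, and a transformation that runs during optimize on every EXECUTE must not hold on to pointers created only at PREPARE time.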